Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Once hacked, the TVs display a message saying: “[Public Service Announcement] PewDiePie, the number #1 subscribed channel on YouTube is about to be overthrown by Indian music company T-Series. Please go on Youtube and subscribe to him ASAP.”

The Swedish-born comedian and video game commentator, whose real name is Felix Kjellberg, is currently going head-to-head with T-Series, an Indian music record label and film company, for the top YouTube spot. Both YouTubers’ channels have at least 73 million subscribers.

According to a website for the latest campaign, the duo targeted a router setting called Universal Plug and Play (UPnP), which is used to help smart devices easily connect to other devices on a private network – however, the feature can also publicly expose the devices’ internet ports if configured that way.

In a Tweet, one of the hackers, @j3ws3r, said on Thursday: “Our Chromecast and smart-TV hack is now complete… never leave a port open someone can mess with.”

Our chromecast and smart TV hack is now complete. Thank you and please, stay say, and most importantly: never leave a port open someone can mess with.https://t.co/H2WOHQNkE8

According to the attack website, more than 4,000 TVs have been impacted by what the hackers are dubbing “CastHack” – however, that number has not been confirmed by Google.

Click to Expand

The effort has gained traction over the past day, with PewDiePie calling out the incident on Twitter as “doing God’s work.” However, dozens of impacted TV watchers took to Reddit to complain.

According to the website describing the hack, users can stop the hack and secure their devices by disabling UPnP on the router.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told Threatpost. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

A Series of Support Hacks

The hacking duo that took responsibility for the attack – known through their Twitter names, @HackerGiraffe and @j3ws3r – were also behind a security fiasco earlier in December where they commandeered 50,000 printers globally to print pamphlets promoting the star. Also, a separate hack later in December tricked another hundreds of thousands of printers to print the pamphlets.

These efforts have inspired other similar attacks, including the defacement of a web page owned by the Wall Street Journal in December.

However, the two denounce the WSJ attack via Twitter, saying that it took away from their purpose of highlighting insecure devices on the internet:”I don’t support defacement. Now @j3ws3r and I will be painted all across media as evil hackers that promoted kids to illegally hijack a media company’s website to promote @pewdiepie.”

Since launching the latest offensive against Chromecast devices, @HackerGiraffe has since appeared to have deleted his or her Twitter, but posted a PasteBin message saying: “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any [harm], nor did I ever have any ill intentions.”

The attack has showcased the insecurity of Internet of Things (IoT) devices, with security expert Kevin Beaumont calling out the publicly exposed devices on Twitter: “Google have got to get better that this stuff, see also ADB being configurable w/o authentication. The people here are also renaming the Wifi networks as, yes, you can also do that remotely – stops the device owner easily stop the video playing.”

Google have got to get better that this stuff, see also ADB being configurable w/o authentication. The people here are also renaming the Wifi networks as, yes, you can also do that remotely – stops the device owner easily stop the video playing.

Meanwhile, Pen Test Partner’s Ken Munro said that hundreds of thousands of Chromecast devices remain public on Shodan.

Whilst Chromecast #casthack site is now down, this doesn't mean the bug is fixed.Still >160,000 live Chromecasts public on @shodanhqAnd >200,000 on https://t.co/uBMEizE54Z – these have precise location for local de-auth attack too…

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.